aboutsummaryrefslogtreecommitdiff
path: root/src/or
diff options
context:
space:
mode:
Diffstat (limited to 'src/or')
-rw-r--r--src/or/onion.c8
1 files changed, 3 insertions, 5 deletions
diff --git a/src/or/onion.c b/src/or/onion.c
index b42a66c5a8..3f0b0b1e46 100644
--- a/src/or/onion.c
+++ b/src/or/onion.c
@@ -771,12 +771,9 @@ extended_cell_parse(extended_cell_t *cell_out,
const uint8_t command, const uint8_t *payload,
size_t payload_len)
{
- const uint8_t *eop;
-
memset(cell_out, 0, sizeof(*cell_out));
if (payload_len > RELAY_PAYLOAD_SIZE)
return -1;
- eop = payload + payload_len;
switch (command) {
case RELAY_COMMAND_EXTENDED:
@@ -970,12 +967,11 @@ int
extended_cell_format(uint8_t *command_out, uint16_t *len_out,
uint8_t *payload_out, const extended_cell_t *cell_in)
{
- uint8_t *p, *eop;
+ uint8_t *p;
if (check_extended_cell(cell_in) < 0)
return -1;
p = payload_out;
- eop = payload_out + RELAY_PAYLOAD_SIZE;
memset(p, 0, RELAY_PAYLOAD_SIZE);
switch (cell_in->cell_type) {
@@ -992,6 +988,8 @@ extended_cell_format(uint8_t *command_out, uint16_t *len_out,
*command_out = RELAY_COMMAND_EXTENDED2;
*len_out = 2 + cell_in->created_cell.handshake_len;
set_uint16(payload_out, htons(cell_in->created_cell.handshake_len));
+ if (2+cell_in->created_cell.handshake_len > RELAY_PAYLOAD_SIZE)
+ return -1;
memcpy(payload_out+2, cell_in->created_cell.reply,
cell_in->created_cell.handshake_len);
}